Melanie Volkamer (Research Manager)
University of Passau, Innstraße 43, 94032 Passau, Germany, Tel: +49 851/509-3021
E-Mail: [email protected]; Webpage: http://www.isl.uni-passau.de
Common Criteria Protection Profile for
a Basic Set of Security Requirements for Online Voting Products
CoE Meeting 16th October 2008, Madrid
Project Formation
DFKI project funded by the BSI
Duration: starting in January 2006
Certification in April 2008
Advisory Board: Researchers: Koblenz, Gießen, Wien, …
Users: GI, Ministry of workers & social affairs, …
Companies: mainly Micromata and T-Systems
Others: CoE, e-Voting.cc, PTB, ASIT, BSI, …
Based on existing requirement documents: CoE, PTB and GI catalogue
Oct 16th 2008, CoE Meeting Madrid, slide 2
Motivation
Council of Europe Recommendations
Swiss, Austrian, German Election Regulations
Austrian Election Regulations
IEEE Voting Equipment Standards
Voting System Standards
Network Voting System Standards
PTB requirement catalogue
…
Good starting point but only lists of requirements
Problems:
- Trust model is not defined
- Evaluation method and depth are not made explicit
- No meaningful evaluation, no comparable evaluation results
Solution: Common Criteria
International standard (ISO/IEC15408) for Information Technology Security Evaluation (CC)
Australia, Canada, France, Germany, Japan, Republic of Korea, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States of America; Austria, Czech Republic, Denmark, Greece, Hungary, India, Israel, Italy, Republic of Singapore, Sweden, Turkey
Protection Profile = An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs. [TOE = target of evaluation]
CoE Recommendations made first steps
Basis Protection Profile
Not "one" general Protection Profile for Online Voting, because of different trust models and evaluation depths
Depending on the election in mind (societies vs. parliamentary)
Serves as basis which can be extended
Takes only the voting phase and the counting phase into account.
Content - Threats
T.UnauthorisedVoter
T.Proof
T.IntegrityMessage
T.SecretMessage
T.AuthenticityServer
T.ArchivingIntegrity
T.ArchivingSecrecyOfVoting
Content - Assumptions
A.ElectionPreparation
A.Observation / A.AuthData / A.ElectionOfficers
A.VoteCastingDevice / ElectionServer / ServerRoom
A.Availability / DataStorage
A.AuthenticityServer / ProtectedCommunication
A.SystemTime / AuditTrailProtection
A.ArchivingSecrecyOfVoting
A.BufferBallot
Content - OSPs
P.Abort / OverhasteProtection / Correction / ACK
P.EndingElection
P.EndOfElection / StartTallying
P.SecrecyOfVotingElectionOfficer / IntegrityE.O. / IntermediateResult / AuthE.O.
P.OneVoterOneVote
P.Tallying
P.Failure
P.Audit
Content - Evaluation Depth
CC EAL scale from 1 to 7
Evaluation Assurance Level 2, augmented by:
- ALC_CMC.3 (substituting ALC_CMC.2)
- ALC_CMS.3 (substituting ALC_CMS.2)
- ALC_DVS.1
- ALC_LCD.1
Assumed attacker potential: basic
Election Authorities
Does the trust model fit your environment?
Does EAL 2+ provide enough trust in the evaluation?
If not, the PP can be extended by:
- Shifting assumptions to threats
- Raising the EAL
Demand that the systems in use be certified according to this Protection Profile or an extended version
Thank you for your attention
Questions?
http://www.bsi.bund.de/zertifiz/zert/reporte/pp0037b_engl.pdf